Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(68)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/name_constraints_unittest.cc

Issue 1573243011: Refactor der::Input helper methods into new constructors (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: fix nits Created 4 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/certificate_policies_unittest.cc ('k') | net/cert/internal/parse_certificate_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/name_constraints.h" 5 #include "net/cert/internal/name_constraints.h"
6 6
7 #include "net/cert/internal/test_helpers.h" 7 #include "net/cert/internal/test_helpers.h"
8 #include "testing/gtest/include/gtest/gtest.h" 8 #include "testing/gtest/include/gtest/gtest.h"
9 9
10 namespace net { 10 namespace net {
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
49 // supported name types, the results should be the same for both. 49 // supported name types, the results should be the same for both.
50 INSTANTIATE_TEST_CASE_P(InstantiationName, 50 INSTANTIATE_TEST_CASE_P(InstantiationName,
51 ParseNameConstraints, 51 ParseNameConstraints,
52 ::testing::Values(true, false)); 52 ::testing::Values(true, false));
53 53
54 TEST_P(ParseNameConstraints, DNSNames) { 54 TEST_P(ParseNameConstraints, DNSNames) {
55 std::string a; 55 std::string a;
56 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); 56 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
57 57
58 scoped_ptr<NameConstraints> name_constraints( 58 scoped_ptr<NameConstraints> name_constraints(
59 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 59 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
60 ASSERT_TRUE(name_constraints); 60 ASSERT_TRUE(name_constraints);
61 61
62 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); 62 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
63 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com.")); 63 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com."));
64 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com")); 64 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example.com"));
65 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com")); 65 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com"));
66 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com.")); 66 EXPECT_FALSE(name_constraints->IsPermittedDNSName("apermitted.example.com."));
67 EXPECT_TRUE( 67 EXPECT_TRUE(
68 name_constraints->IsPermittedDNSName("alsopermitted.example.com")); 68 name_constraints->IsPermittedDNSName("alsopermitted.example.com"));
69 EXPECT_FALSE( 69 EXPECT_FALSE(
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after
116 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com.")); 116 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example3.com."));
117 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com")); 117 EXPECT_TRUE(name_constraints->IsPermittedDNSName("a.permitted.example3.com"));
118 EXPECT_TRUE( 118 EXPECT_TRUE(
119 name_constraints->IsPermittedDNSName("a.permitted.example3.com.")); 119 name_constraints->IsPermittedDNSName("a.permitted.example3.com."));
120 120
121 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->ConstrainedNameTypes()); 121 EXPECT_EQ(GENERAL_NAME_DNS_NAME, name_constraints->ConstrainedNameTypes());
122 122
123 std::string san; 123 std::string san;
124 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); 124 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
125 EXPECT_TRUE( 125 EXPECT_TRUE(
126 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 126 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
127 127
128 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); 128 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
129 EXPECT_FALSE( 129 EXPECT_FALSE(
130 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 130 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
131 131
132 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); 132 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
133 EXPECT_TRUE( 133 EXPECT_TRUE(
134 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 134 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
135 135
136 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 136 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
137 EXPECT_TRUE( 137 EXPECT_TRUE(
138 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 138 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
139 } 139 }
140 140
141 TEST_P(ParseNameConstraints, 141 TEST_P(ParseNameConstraints,
142 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) { 142 DNSNamesWithMultipleLevelsBetweenExcludedAndPermitted) {
143 std::string a; 143 std::string a;
144 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a)); 144 ASSERT_TRUE(LoadTestNameConstraint("dnsname2.pem", &a));
145 scoped_ptr<NameConstraints> name_constraints( 145 scoped_ptr<NameConstraints> name_constraints(
146 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 146 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
147 ASSERT_TRUE(name_constraints); 147 ASSERT_TRUE(name_constraints);
148 148
149 // Matches permitted exactly. 149 // Matches permitted exactly.
150 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com")); 150 EXPECT_TRUE(name_constraints->IsPermittedDNSName("com"));
151 // Contained within permitted and doesn't match excluded (foo.bar.com). 151 // Contained within permitted and doesn't match excluded (foo.bar.com).
152 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com")); 152 EXPECT_TRUE(name_constraints->IsPermittedDNSName("bar.com"));
153 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com")); 153 EXPECT_TRUE(name_constraints->IsPermittedDNSName("baz.bar.com"));
154 // Matches excluded exactly. 154 // Matches excluded exactly.
155 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); 155 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
156 // Contained within excluded. 156 // Contained within excluded.
157 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com")); 157 EXPECT_FALSE(name_constraints->IsPermittedDNSName("baz.foo.bar.com"));
158 158
159 // Cannot match anything within excluded. 159 // Cannot match anything within excluded.
160 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com")); 160 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.baz.bar.com"));
161 // Wildcard hostnames only match a single label, so cannot match excluded 161 // Wildcard hostnames only match a single label, so cannot match excluded
162 // which has two labels before .com. 162 // which has two labels before .com.
163 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com")); 163 EXPECT_TRUE(name_constraints->IsPermittedDNSName("*.com"));
164 164
165 // Partial match of foo.bar.com. 165 // Partial match of foo.bar.com.
166 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com")); 166 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.bar.com"));
167 // All expansions of wildcard are within excluded. 167 // All expansions of wildcard are within excluded.
168 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com")); 168 EXPECT_FALSE(name_constraints->IsPermittedDNSName("*.foo.bar.com"));
169 } 169 }
170 170
171 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) { 171 TEST_P(ParseNameConstraints, DNSNamesWithLeadingDot) {
172 std::string a; 172 std::string a;
173 ASSERT_TRUE( 173 ASSERT_TRUE(
174 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a)); 174 LoadTestNameConstraint("dnsname-permitted_with_leading_dot.pem", &a));
175 scoped_ptr<NameConstraints> name_constraints( 175 scoped_ptr<NameConstraints> name_constraints(
176 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 176 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
177 ASSERT_TRUE(name_constraints); 177 ASSERT_TRUE(name_constraints);
178 178
179 // dNSName constraints should be specified as a host. A dNSName constraint 179 // dNSName constraints should be specified as a host. A dNSName constraint
180 // with a leading "." doesn't make sense, though some certs include it 180 // with a leading "." doesn't make sense, though some certs include it
181 // (probably confusing it with the rules for uniformResourceIdentifier 181 // (probably confusing it with the rules for uniformResourceIdentifier
182 // constraints). It should not match anything. 182 // constraints). It should not match anything.
183 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com")); 183 EXPECT_FALSE(name_constraints->IsPermittedDNSName("com"));
184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com")); 184 EXPECT_FALSE(name_constraints->IsPermittedDNSName("bar.com"));
185 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com")); 185 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.bar.com"));
186 } 186 }
187 187
188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) { 188 TEST_P(ParseNameConstraints, DNSNamesExcludeOnly) {
189 std::string a; 189 std::string a;
190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a)); 190 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excluded.pem", &a));
191 191
192 scoped_ptr<NameConstraints> name_constraints( 192 scoped_ptr<NameConstraints> name_constraints(
193 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 193 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
194 ASSERT_TRUE(name_constraints); 194 ASSERT_TRUE(name_constraints);
195 195
196 // Only "excluded.permitted.example.com" is excluded, but since no dNSNames 196 // Only "excluded.permitted.example.com" is excluded, but since no dNSNames
197 // are permitted, everything is excluded. 197 // are permitted, everything is excluded.
198 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); 198 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
199 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 199 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
200 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); 200 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
201 EXPECT_FALSE( 201 EXPECT_FALSE(
202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com")); 202 name_constraints->IsPermittedDNSName("excluded.permitted.example.com"));
203 EXPECT_FALSE( 203 EXPECT_FALSE(
204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com")); 204 name_constraints->IsPermittedDNSName("a.excluded.permitted.example.com"));
205 } 205 }
206 206
207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) { 207 TEST_P(ParseNameConstraints, DNSNamesExcludeAll) {
208 std::string a; 208 std::string a;
209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a)); 209 ASSERT_TRUE(LoadTestNameConstraint("dnsname-excludeall.pem", &a));
210 210
211 scoped_ptr<NameConstraints> name_constraints( 211 scoped_ptr<NameConstraints> name_constraints(
212 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 212 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
213 ASSERT_TRUE(name_constraints); 213 ASSERT_TRUE(name_constraints);
214 214
215 // "permitted.example.com" is in the permitted section, but since "" is 215 // "permitted.example.com" is in the permitted section, but since "" is
216 // excluded, nothing is permitted. 216 // excluded, nothing is permitted.
217 EXPECT_FALSE(name_constraints->IsPermittedDNSName("")); 217 EXPECT_FALSE(name_constraints->IsPermittedDNSName(""));
218 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 218 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
219 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com")); 219 EXPECT_FALSE(name_constraints->IsPermittedDNSName("permitted.example.com"));
220 EXPECT_FALSE( 220 EXPECT_FALSE(
221 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); 221 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
222 } 222 }
223 223
224 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) { 224 TEST_P(ParseNameConstraints, DNSNamesExcludeDot) {
225 std::string a; 225 std::string a;
226 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a)); 226 ASSERT_TRUE(LoadTestNameConstraint("dnsname-exclude_dot.pem", &a));
227 227
228 scoped_ptr<NameConstraints> name_constraints( 228 scoped_ptr<NameConstraints> name_constraints(
229 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 229 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
230 ASSERT_TRUE(name_constraints); 230 ASSERT_TRUE(name_constraints);
231 231
232 // "." is excluded, which should match nothing. 232 // "." is excluded, which should match nothing.
233 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com")); 233 EXPECT_FALSE(name_constraints->IsPermittedDNSName("foo.com"));
234 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com")); 234 EXPECT_TRUE(name_constraints->IsPermittedDNSName("permitted.example.com"));
235 EXPECT_TRUE( 235 EXPECT_TRUE(
236 name_constraints->IsPermittedDNSName("foo.permitted.example.com")); 236 name_constraints->IsPermittedDNSName("foo.permitted.example.com"));
237 } 237 }
238 238
239 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) { 239 TEST_P(ParseNameConstraints, DNSNamesFailOnInvalidIA5String) {
240 std::string a; 240 std::string a;
241 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a)); 241 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &a));
242 242
243 size_t replace_location = a.find("permitted.example2.com"); 243 size_t replace_location = a.find("permitted.example2.com");
244 ASSERT_NE(std::string::npos, replace_location); 244 ASSERT_NE(std::string::npos, replace_location);
245 a.replace(replace_location, 1, 1, -1); 245 a.replace(replace_location, 1, 1, -1);
246 246
247 EXPECT_FALSE( 247 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
248 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
249 } 248 }
250 249
251 TEST_P(ParseNameConstraints, DirectoryNames) { 250 TEST_P(ParseNameConstraints, DirectoryNames) {
252 std::string constraints_der; 251 std::string constraints_der;
253 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); 252 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
254 253
255 std::string name_us; 254 std::string name_us;
256 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 255 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
257 std::string name_us_ca; 256 std::string name_us_ca;
258 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 257 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
259 std::string name_us_ca_mountain_view; 258 std::string name_us_ca_mountain_view;
260 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 259 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
261 &name_us_ca_mountain_view)); 260 &name_us_ca_mountain_view));
262 std::string name_us_az; 261 std::string name_us_az;
263 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); 262 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
264 std::string name_jp; 263 std::string name_jp;
265 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp)); 264 ASSERT_TRUE(LoadTestName("name-jp.pem", &name_jp));
266 std::string name_jp_tokyo; 265 std::string name_jp_tokyo;
267 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo)); 266 ASSERT_TRUE(LoadTestName("name-jp-tokyo.pem", &name_jp_tokyo));
268 std::string name_de; 267 std::string name_de;
269 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de)); 268 ASSERT_TRUE(LoadTestName("name-de.pem", &name_de));
270 std::string name_ca; 269 std::string name_ca;
271 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca)); 270 ASSERT_TRUE(LoadTestName("name-ca.pem", &name_ca));
272 271
273 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 272 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
274 InputFromString(&constraints_der), is_critical())); 273 der::Input(&constraints_der), is_critical()));
275 ASSERT_TRUE(name_constraints); 274 ASSERT_TRUE(name_constraints);
276 275
277 // Not in any permitted subtree. 276 // Not in any permitted subtree.
278 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 277 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
279 SequenceValueFromString(&name_ca))); 278 SequenceValueFromString(&name_ca)));
280 // Within the permitted C=US subtree. 279 // Within the permitted C=US subtree.
281 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 280 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
282 SequenceValueFromString(&name_us))); 281 SequenceValueFromString(&name_us)));
283 // Within the permitted C=US subtree. 282 // Within the permitted C=US subtree.
284 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName( 283 EXPECT_TRUE(name_constraints->IsPermittedDirectoryName(
(...skipping 25 matching lines...) Expand all
310 EXPECT_TRUE(name_constraints->IsPermittedCert( 309 EXPECT_TRUE(name_constraints->IsPermittedCert(
311 SequenceValueFromString(&name_us), der::Input())); 310 SequenceValueFromString(&name_us), der::Input()));
312 // Within the permitted C=US subtree, however the excluded C=US,ST=California 311 // Within the permitted C=US subtree, however the excluded C=US,ST=California
313 // subtree takes priority. 312 // subtree takes priority.
314 EXPECT_FALSE(name_constraints->IsPermittedCert( 313 EXPECT_FALSE(name_constraints->IsPermittedCert(
315 SequenceValueFromString(&name_us_ca), der::Input())); 314 SequenceValueFromString(&name_us_ca), der::Input()));
316 315
317 std::string san; 316 std::string san;
318 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); 317 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
319 EXPECT_TRUE( 318 EXPECT_TRUE(
320 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 319 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
321 320
322 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); 321 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
323 EXPECT_TRUE( 322 EXPECT_TRUE(
324 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 323 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
325 324
326 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); 325 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
327 EXPECT_FALSE( 326 EXPECT_FALSE(
328 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 327 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
329 328
330 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 329 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
331 EXPECT_TRUE( 330 EXPECT_TRUE(
332 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 331 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
333 } 332 }
334 333
335 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) { 334 TEST_P(ParseNameConstraints, DirectoryNamesExcludeOnly) {
336 std::string constraints_der; 335 std::string constraints_der;
337 ASSERT_TRUE( 336 ASSERT_TRUE(
338 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); 337 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
339 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 338 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
340 InputFromString(&constraints_der), is_critical())); 339 der::Input(&constraints_der), is_critical()));
341 ASSERT_TRUE(name_constraints); 340 ASSERT_TRUE(name_constraints);
342 341
343 std::string name_empty; 342 std::string name_empty;
344 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 343 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
345 std::string name_us; 344 std::string name_us;
346 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 345 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
347 std::string name_us_ca; 346 std::string name_us_ca;
348 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 347 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
349 std::string name_us_ca_mountain_view; 348 std::string name_us_ca_mountain_view;
350 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 349 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
351 &name_us_ca_mountain_view)); 350 &name_us_ca_mountain_view));
352 351
353 // Only "C=US,ST=California" is excluded, but since no directoryNames are 352 // Only "C=US,ST=California" is excluded, but since no directoryNames are
354 // permitted, everything is excluded. 353 // permitted, everything is excluded.
355 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 354 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
356 SequenceValueFromString(&name_empty))); 355 SequenceValueFromString(&name_empty)));
357 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 356 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
358 SequenceValueFromString(&name_us))); 357 SequenceValueFromString(&name_us)));
359 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 358 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
360 SequenceValueFromString(&name_us_ca))); 359 SequenceValueFromString(&name_us_ca)));
361 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 360 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
362 SequenceValueFromString(&name_us_ca_mountain_view))); 361 SequenceValueFromString(&name_us_ca_mountain_view)));
363 } 362 }
364 363
365 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) { 364 TEST_P(ParseNameConstraints, DirectoryNamesExcludeAll) {
366 std::string constraints_der; 365 std::string constraints_der;
367 ASSERT_TRUE( 366 ASSERT_TRUE(
368 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der)); 367 LoadTestNameConstraint("directoryname-excluded.pem", &constraints_der));
369 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 368 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
370 InputFromString(&constraints_der), is_critical())); 369 der::Input(&constraints_der), is_critical()));
371 ASSERT_TRUE(name_constraints); 370 ASSERT_TRUE(name_constraints);
372 371
373 std::string name_empty; 372 std::string name_empty;
374 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty)); 373 ASSERT_TRUE(LoadTestName("name-empty.pem", &name_empty));
375 std::string name_us; 374 std::string name_us;
376 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us)); 375 ASSERT_TRUE(LoadTestName("name-us.pem", &name_us));
377 std::string name_us_ca; 376 std::string name_us_ca;
378 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca)); 377 ASSERT_TRUE(LoadTestName("name-us-california.pem", &name_us_ca));
379 std::string name_us_ca_mountain_view; 378 std::string name_us_ca_mountain_view;
380 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem", 379 ASSERT_TRUE(LoadTestName("name-us-california-mountain_view.pem",
(...skipping 11 matching lines...) Expand all
392 SequenceValueFromString(&name_us_ca))); 391 SequenceValueFromString(&name_us_ca)));
393 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName( 392 EXPECT_FALSE(name_constraints->IsPermittedDirectoryName(
394 SequenceValueFromString(&name_jp))); 393 SequenceValueFromString(&name_jp)));
395 } 394 }
396 395
397 TEST_P(ParseNameConstraints, IPAdresses) { 396 TEST_P(ParseNameConstraints, IPAdresses) {
398 std::string a; 397 std::string a;
399 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a)); 398 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &a));
400 399
401 scoped_ptr<NameConstraints> name_constraints( 400 scoped_ptr<NameConstraints> name_constraints(
402 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 401 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
403 ASSERT_TRUE(name_constraints); 402 ASSERT_TRUE(name_constraints);
404 403
405 // IPv4 tests: 404 // IPv4 tests:
406 { 405 {
407 // Not in any permitted range. 406 // Not in any permitted range.
408 const uint8_t ip4[] = {192, 169, 0, 1}; 407 const uint8_t ip4[] = {192, 169, 0, 1};
409 EXPECT_FALSE(name_constraints->IsPermittedIP( 408 EXPECT_FALSE(name_constraints->IsPermittedIP(
410 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 409 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
411 } 410 }
412 { 411 {
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after
538 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1}; 537 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 10, 5, 33, 0, 1};
539 EXPECT_FALSE(name_constraints->IsPermittedIP( 538 EXPECT_FALSE(name_constraints->IsPermittedIP(
540 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); 539 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
541 } 540 }
542 541
543 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, name_constraints->ConstrainedNameTypes()); 542 EXPECT_EQ(GENERAL_NAME_IP_ADDRESS, name_constraints->ConstrainedNameTypes());
544 543
545 std::string san; 544 std::string san;
546 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san)); 545 ASSERT_TRUE(LoadTestSubjectAltName("san-permitted.pem", &san));
547 EXPECT_TRUE( 546 EXPECT_TRUE(
548 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 547 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
549 548
550 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san)); 549 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-dnsname.pem", &san));
551 EXPECT_TRUE( 550 EXPECT_TRUE(
552 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 551 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
553 552
554 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san)); 553 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-directoryname.pem", &san));
555 EXPECT_TRUE( 554 EXPECT_TRUE(
556 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 555 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
557 556
558 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san)); 557 ASSERT_TRUE(LoadTestSubjectAltName("san-excluded-ipaddress.pem", &san));
559 EXPECT_FALSE( 558 EXPECT_FALSE(
560 name_constraints->IsPermittedCert(der::Input(), InputFromString(&san))); 559 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
561 } 560 }
562 561
563 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) { 562 TEST_P(ParseNameConstraints, IPAdressesExcludeOnly) {
564 std::string a; 563 std::string a;
565 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a)); 564 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excluded.pem", &a));
566 565
567 scoped_ptr<NameConstraints> name_constraints( 566 scoped_ptr<NameConstraints> name_constraints(
568 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 567 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
569 ASSERT_TRUE(name_constraints); 568 ASSERT_TRUE(name_constraints);
570 569
571 // Only 192.168.5.0/255.255.255.0 is excluded, but since no iPAddresses 570 // Only 192.168.5.0/255.255.255.0 is excluded, but since no iPAddresses
572 // are permitted, everything is excluded. 571 // are permitted, everything is excluded.
573 { 572 {
574 const uint8_t ip4[] = {192, 168, 0, 1}; 573 const uint8_t ip4[] = {192, 168, 0, 1};
575 EXPECT_FALSE(name_constraints->IsPermittedIP( 574 EXPECT_FALSE(name_constraints->IsPermittedIP(
576 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 575 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
577 } 576 }
578 { 577 {
579 const uint8_t ip4[] = {192, 168, 5, 1}; 578 const uint8_t ip4[] = {192, 168, 5, 1};
580 EXPECT_FALSE(name_constraints->IsPermittedIP( 579 EXPECT_FALSE(name_constraints->IsPermittedIP(
581 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 580 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
582 } 581 }
583 { 582 {
584 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1}; 583 const uint8_t ip6[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 0, 0, 0, 1};
585 EXPECT_FALSE(name_constraints->IsPermittedIP( 584 EXPECT_FALSE(name_constraints->IsPermittedIP(
586 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); 585 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
587 } 586 }
588 } 587 }
589 588
590 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) { 589 TEST_P(ParseNameConstraints, IPAdressesExcludeAll) {
591 std::string a; 590 std::string a;
592 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a)); 591 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-excludeall.pem", &a));
593 592
594 scoped_ptr<NameConstraints> name_constraints( 593 scoped_ptr<NameConstraints> name_constraints(
595 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 594 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
596 ASSERT_TRUE(name_constraints); 595 ASSERT_TRUE(name_constraints);
597 596
598 // 192.168.0.0/255.255.0.0 and 597 // 192.168.0.0/255.255.0.0 and
599 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted, 598 // 102:304:506:708:90a:b0c::/ffff:ffff:ffff:ffff:ffff:ffff:: are permitted,
600 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted. 599 // but since 0.0.0.0/0 and ::/0 are excluded nothing is permitted.
601 { 600 {
602 const uint8_t ip4[] = {192, 168, 0, 1}; 601 const uint8_t ip4[] = {192, 168, 0, 1};
603 EXPECT_FALSE(name_constraints->IsPermittedIP( 602 EXPECT_FALSE(name_constraints->IsPermittedIP(
604 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 603 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
605 } 604 }
(...skipping 12 matching lines...) Expand all
618 EXPECT_FALSE(name_constraints->IsPermittedIP( 617 EXPECT_FALSE(name_constraints->IsPermittedIP(
619 IPAddressNumber(ip6, ip6 + arraysize(ip6)))); 618 IPAddressNumber(ip6, ip6 + arraysize(ip6))));
620 } 619 }
621 } 620 }
622 621
623 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) { 622 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitSingleHost) {
624 std::string a; 623 std::string a;
625 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a)); 624 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_singlehost.pem", &a));
626 625
627 scoped_ptr<NameConstraints> name_constraints( 626 scoped_ptr<NameConstraints> name_constraints(
628 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 627 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
629 ASSERT_TRUE(name_constraints); 628 ASSERT_TRUE(name_constraints);
630 629
631 { 630 {
632 const uint8_t ip4[] = {0, 0, 0, 0}; 631 const uint8_t ip4[] = {0, 0, 0, 0};
633 EXPECT_FALSE(name_constraints->IsPermittedIP( 632 EXPECT_FALSE(name_constraints->IsPermittedIP(
634 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 633 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
635 } 634 }
636 { 635 {
637 const uint8_t ip4[] = {192, 168, 1, 1}; 636 const uint8_t ip4[] = {192, 168, 1, 1};
638 EXPECT_FALSE(name_constraints->IsPermittedIP( 637 EXPECT_FALSE(name_constraints->IsPermittedIP(
(...skipping 19 matching lines...) Expand all
658 EXPECT_FALSE(name_constraints->IsPermittedIP( 657 EXPECT_FALSE(name_constraints->IsPermittedIP(
659 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 658 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
660 } 659 }
661 } 660 }
662 661
663 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) { 662 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen31) {
664 std::string a; 663 std::string a;
665 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a)); 664 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix31.pem", &a));
666 665
667 scoped_ptr<NameConstraints> name_constraints( 666 scoped_ptr<NameConstraints> name_constraints(
668 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 667 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
669 ASSERT_TRUE(name_constraints); 668 ASSERT_TRUE(name_constraints);
670 669
671 { 670 {
672 const uint8_t ip4[] = {0, 0, 0, 0}; 671 const uint8_t ip4[] = {0, 0, 0, 0};
673 EXPECT_FALSE(name_constraints->IsPermittedIP( 672 EXPECT_FALSE(name_constraints->IsPermittedIP(
674 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 673 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
675 } 674 }
676 { 675 {
677 const uint8_t ip4[] = {192, 168, 1, 1}; 676 const uint8_t ip4[] = {192, 168, 1, 1};
678 EXPECT_FALSE(name_constraints->IsPermittedIP( 677 EXPECT_FALSE(name_constraints->IsPermittedIP(
(...skipping 24 matching lines...) Expand all
703 EXPECT_FALSE(name_constraints->IsPermittedIP( 702 EXPECT_FALSE(name_constraints->IsPermittedIP(
704 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 703 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
705 } 704 }
706 } 705 }
707 706
708 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) { 707 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitPrefixLen1) {
709 std::string a; 708 std::string a;
710 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a)); 709 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_prefix1.pem", &a));
711 710
712 scoped_ptr<NameConstraints> name_constraints( 711 scoped_ptr<NameConstraints> name_constraints(
713 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 712 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
714 ASSERT_TRUE(name_constraints); 713 ASSERT_TRUE(name_constraints);
715 714
716 { 715 {
717 const uint8_t ip4[] = {0, 0, 0, 0}; 716 const uint8_t ip4[] = {0, 0, 0, 0};
718 EXPECT_FALSE(name_constraints->IsPermittedIP( 717 EXPECT_FALSE(name_constraints->IsPermittedIP(
719 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 718 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
720 } 719 }
721 { 720 {
722 const uint8_t ip4[] = {0x7F, 0xFF, 0xFF, 0xFF}; 721 const uint8_t ip4[] = {0x7F, 0xFF, 0xFF, 0xFF};
723 EXPECT_FALSE(name_constraints->IsPermittedIP( 722 EXPECT_FALSE(name_constraints->IsPermittedIP(
724 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 723 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
725 } 724 }
726 { 725 {
727 const uint8_t ip4[] = {0x80, 0, 0, 0}; 726 const uint8_t ip4[] = {0x80, 0, 0, 0};
728 EXPECT_TRUE(name_constraints->IsPermittedIP( 727 EXPECT_TRUE(name_constraints->IsPermittedIP(
729 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 728 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
730 } 729 }
731 { 730 {
732 const uint8_t ip4[] = {0xFF, 0xFF, 0xFF, 0xFF}; 731 const uint8_t ip4[] = {0xFF, 0xFF, 0xFF, 0xFF};
733 EXPECT_TRUE(name_constraints->IsPermittedIP( 732 EXPECT_TRUE(name_constraints->IsPermittedIP(
734 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 733 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
735 } 734 }
736 } 735 }
737 736
738 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) { 737 TEST_P(ParseNameConstraints, IPAdressesNetmaskPermitAll) {
739 std::string a; 738 std::string a;
740 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a)); 739 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-permit_all.pem", &a));
741 740
742 scoped_ptr<NameConstraints> name_constraints( 741 scoped_ptr<NameConstraints> name_constraints(
743 NameConstraints::CreateFromDer(InputFromString(&a), is_critical())); 742 NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
744 ASSERT_TRUE(name_constraints); 743 ASSERT_TRUE(name_constraints);
745 744
746 { 745 {
747 const uint8_t ip4[] = {0, 0, 0, 0}; 746 const uint8_t ip4[] = {0, 0, 0, 0};
748 EXPECT_TRUE(name_constraints->IsPermittedIP( 747 EXPECT_TRUE(name_constraints->IsPermittedIP(
749 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 748 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
750 } 749 }
751 { 750 {
752 const uint8_t ip4[] = {192, 168, 1, 1}; 751 const uint8_t ip4[] = {192, 168, 1, 1};
753 EXPECT_TRUE(name_constraints->IsPermittedIP( 752 EXPECT_TRUE(name_constraints->IsPermittedIP(
754 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 753 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
755 } 754 }
756 { 755 {
757 const uint8_t ip4[] = {255, 255, 255, 255}; 756 const uint8_t ip4[] = {255, 255, 255, 255};
758 EXPECT_TRUE(name_constraints->IsPermittedIP( 757 EXPECT_TRUE(name_constraints->IsPermittedIP(
759 IPAddressNumber(ip4, ip4 + arraysize(ip4)))); 758 IPAddressNumber(ip4, ip4 + arraysize(ip4))));
760 } 759 }
761 } 760 }
762 761
763 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) { 762 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidAddr) {
764 std::string a; 763 std::string a;
765 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a)); 764 ASSERT_TRUE(LoadTestNameConstraint("ipaddress-invalid_addr.pem", &a));
766 765
767 EXPECT_FALSE( 766 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
768 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
769 } 767 }
770 768
771 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) { 769 TEST_P(ParseNameConstraints, IPAdressesFailOnInvalidMaskNotContiguous) {
772 std::string a; 770 std::string a;
773 ASSERT_TRUE(LoadTestNameConstraint( 771 ASSERT_TRUE(LoadTestNameConstraint(
774 "ipaddress-invalid_mask_not_contiguous_1.pem", &a)); 772 "ipaddress-invalid_mask_not_contiguous_1.pem", &a));
775 EXPECT_FALSE( 773 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
776 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
777 774
778 ASSERT_TRUE(LoadTestNameConstraint( 775 ASSERT_TRUE(LoadTestNameConstraint(
779 "ipaddress-invalid_mask_not_contiguous_2.pem", &a)); 776 "ipaddress-invalid_mask_not_contiguous_2.pem", &a));
780 EXPECT_FALSE( 777 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
781 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
782 778
783 ASSERT_TRUE(LoadTestNameConstraint( 779 ASSERT_TRUE(LoadTestNameConstraint(
784 "ipaddress-invalid_mask_not_contiguous_3.pem", &a)); 780 "ipaddress-invalid_mask_not_contiguous_3.pem", &a));
785 EXPECT_FALSE( 781 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
786 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
787 782
788 ASSERT_TRUE(LoadTestNameConstraint( 783 ASSERT_TRUE(LoadTestNameConstraint(
789 "ipaddress-invalid_mask_not_contiguous_4.pem", &a)); 784 "ipaddress-invalid_mask_not_contiguous_4.pem", &a));
790 EXPECT_FALSE( 785 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&a), is_critical()));
791 NameConstraints::CreateFromDer(InputFromString(&a), is_critical()));
792 } 786 }
793 787
794 TEST_P(ParseNameConstraints, OtherNamesInPermitted) { 788 TEST_P(ParseNameConstraints, OtherNamesInPermitted) {
795 std::string constraints_der; 789 std::string constraints_der;
796 ASSERT_TRUE( 790 ASSERT_TRUE(
797 LoadTestNameConstraint("othername-permitted.pem", &constraints_der)); 791 LoadTestNameConstraint("othername-permitted.pem", &constraints_der));
798 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 792 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
799 InputFromString(&constraints_der), is_critical())); 793 der::Input(&constraints_der), is_critical()));
800 ASSERT_TRUE(name_constraints); 794 ASSERT_TRUE(name_constraints);
801 795
802 if (is_critical()) { 796 if (is_critical()) {
803 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, 797 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
804 name_constraints->ConstrainedNameTypes()); 798 name_constraints->ConstrainedNameTypes());
805 } else { 799 } else {
806 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 800 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
807 } 801 }
808 802
809 std::string san; 803 std::string san;
810 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); 804 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
811 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 805 EXPECT_EQ(!is_critical(),
812 der::Input(), InputFromString(&san))); 806 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
813 } 807 }
814 808
815 TEST_P(ParseNameConstraints, OtherNamesInExcluded) { 809 TEST_P(ParseNameConstraints, OtherNamesInExcluded) {
816 std::string constraints_der; 810 std::string constraints_der;
817 ASSERT_TRUE( 811 ASSERT_TRUE(
818 LoadTestNameConstraint("othername-excluded.pem", &constraints_der)); 812 LoadTestNameConstraint("othername-excluded.pem", &constraints_der));
819 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 813 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
820 InputFromString(&constraints_der), is_critical())); 814 der::Input(&constraints_der), is_critical()));
821 ASSERT_TRUE(name_constraints); 815 ASSERT_TRUE(name_constraints);
822 816
823 if (is_critical()) { 817 if (is_critical()) {
824 EXPECT_EQ(GENERAL_NAME_OTHER_NAME, 818 EXPECT_EQ(GENERAL_NAME_OTHER_NAME,
825 name_constraints->ConstrainedNameTypes()); 819 name_constraints->ConstrainedNameTypes());
826 } else { 820 } else {
827 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 821 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
828 } 822 }
829 823
830 std::string san; 824 std::string san;
831 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san)); 825 ASSERT_TRUE(LoadTestSubjectAltName("san-othername.pem", &san));
832 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 826 EXPECT_EQ(!is_critical(),
833 der::Input(), InputFromString(&san))); 827 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
834 } 828 }
835 829
836 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) { 830 TEST_P(ParseNameConstraints, Rfc822NamesInPermitted) {
837 std::string constraints_der; 831 std::string constraints_der;
838 ASSERT_TRUE( 832 ASSERT_TRUE(
839 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); 833 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
840 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 834 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
841 InputFromString(&constraints_der), is_critical())); 835 der::Input(&constraints_der), is_critical()));
842 ASSERT_TRUE(name_constraints); 836 ASSERT_TRUE(name_constraints);
843 837
844 if (is_critical()) { 838 if (is_critical()) {
845 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, 839 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
846 name_constraints->ConstrainedNameTypes()); 840 name_constraints->ConstrainedNameTypes());
847 } else { 841 } else {
848 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 842 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
849 } 843 }
850 844
851 std::string san; 845 std::string san;
852 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); 846 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
853 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 847 EXPECT_EQ(!is_critical(),
854 der::Input(), InputFromString(&san))); 848 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
855 } 849 }
856 850
857 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) { 851 TEST_P(ParseNameConstraints, Rfc822NamesInExcluded) {
858 std::string constraints_der; 852 std::string constraints_der;
859 ASSERT_TRUE( 853 ASSERT_TRUE(
860 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der)); 854 LoadTestNameConstraint("rfc822name-excluded.pem", &constraints_der));
861 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 855 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
862 InputFromString(&constraints_der), is_critical())); 856 der::Input(&constraints_der), is_critical()));
863 ASSERT_TRUE(name_constraints); 857 ASSERT_TRUE(name_constraints);
864 858
865 if (is_critical()) { 859 if (is_critical()) {
866 EXPECT_EQ(GENERAL_NAME_RFC822_NAME, 860 EXPECT_EQ(GENERAL_NAME_RFC822_NAME,
867 name_constraints->ConstrainedNameTypes()); 861 name_constraints->ConstrainedNameTypes());
868 } else { 862 } else {
869 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 863 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
870 } 864 }
871 865
872 std::string san; 866 std::string san;
873 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san)); 867 ASSERT_TRUE(LoadTestSubjectAltName("san-rfc822name.pem", &san));
874 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 868 EXPECT_EQ(!is_critical(),
875 der::Input(), InputFromString(&san))); 869 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
876 } 870 }
877 871
878 TEST_P(ParseNameConstraints, X400AddresssInPermitted) { 872 TEST_P(ParseNameConstraints, X400AddresssInPermitted) {
879 std::string constraints_der; 873 std::string constraints_der;
880 ASSERT_TRUE( 874 ASSERT_TRUE(
881 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der)); 875 LoadTestNameConstraint("x400address-permitted.pem", &constraints_der));
882 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 876 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
883 InputFromString(&constraints_der), is_critical())); 877 der::Input(&constraints_der), is_critical()));
884 ASSERT_TRUE(name_constraints); 878 ASSERT_TRUE(name_constraints);
885 879
886 if (is_critical()) { 880 if (is_critical()) {
887 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, 881 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
888 name_constraints->ConstrainedNameTypes()); 882 name_constraints->ConstrainedNameTypes());
889 } else { 883 } else {
890 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 884 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
891 } 885 }
892 886
893 std::string san; 887 std::string san;
894 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); 888 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
895 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 889 EXPECT_EQ(!is_critical(),
896 der::Input(), InputFromString(&san))); 890 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
897 } 891 }
898 892
899 TEST_P(ParseNameConstraints, X400AddresssInExcluded) { 893 TEST_P(ParseNameConstraints, X400AddresssInExcluded) {
900 std::string constraints_der; 894 std::string constraints_der;
901 ASSERT_TRUE( 895 ASSERT_TRUE(
902 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der)); 896 LoadTestNameConstraint("x400address-excluded.pem", &constraints_der));
903 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 897 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
904 InputFromString(&constraints_der), is_critical())); 898 der::Input(&constraints_der), is_critical()));
905 ASSERT_TRUE(name_constraints); 899 ASSERT_TRUE(name_constraints);
906 900
907 if (is_critical()) { 901 if (is_critical()) {
908 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS, 902 EXPECT_EQ(GENERAL_NAME_X400_ADDRESS,
909 name_constraints->ConstrainedNameTypes()); 903 name_constraints->ConstrainedNameTypes());
910 } else { 904 } else {
911 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 905 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
912 } 906 }
913 907
914 std::string san; 908 std::string san;
915 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san)); 909 ASSERT_TRUE(LoadTestSubjectAltName("san-x400address.pem", &san));
916 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 910 EXPECT_EQ(!is_critical(),
917 der::Input(), InputFromString(&san))); 911 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
918 } 912 }
919 913
920 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) { 914 TEST_P(ParseNameConstraints, EdiPartyNamesInPermitted) {
921 std::string constraints_der; 915 std::string constraints_der;
922 ASSERT_TRUE( 916 ASSERT_TRUE(
923 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der)); 917 LoadTestNameConstraint("edipartyname-permitted.pem", &constraints_der));
924 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 918 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
925 InputFromString(&constraints_der), is_critical())); 919 der::Input(&constraints_der), is_critical()));
926 ASSERT_TRUE(name_constraints); 920 ASSERT_TRUE(name_constraints);
927 921
928 if (is_critical()) { 922 if (is_critical()) {
929 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, 923 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
930 name_constraints->ConstrainedNameTypes()); 924 name_constraints->ConstrainedNameTypes());
931 } else { 925 } else {
932 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 926 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
933 } 927 }
934 928
935 std::string san; 929 std::string san;
936 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); 930 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
937 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 931 EXPECT_EQ(!is_critical(),
938 der::Input(), InputFromString(&san))); 932 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
939 } 933 }
940 934
941 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) { 935 TEST_P(ParseNameConstraints, EdiPartyNamesInExcluded) {
942 std::string constraints_der; 936 std::string constraints_der;
943 ASSERT_TRUE( 937 ASSERT_TRUE(
944 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der)); 938 LoadTestNameConstraint("edipartyname-excluded.pem", &constraints_der));
945 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 939 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
946 InputFromString(&constraints_der), is_critical())); 940 der::Input(&constraints_der), is_critical()));
947 ASSERT_TRUE(name_constraints); 941 ASSERT_TRUE(name_constraints);
948 942
949 if (is_critical()) { 943 if (is_critical()) {
950 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME, 944 EXPECT_EQ(GENERAL_NAME_EDI_PARTY_NAME,
951 name_constraints->ConstrainedNameTypes()); 945 name_constraints->ConstrainedNameTypes());
952 } else { 946 } else {
953 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 947 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
954 } 948 }
955 949
956 std::string san; 950 std::string san;
957 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san)); 951 ASSERT_TRUE(LoadTestSubjectAltName("san-edipartyname.pem", &san));
958 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 952 EXPECT_EQ(!is_critical(),
959 der::Input(), InputFromString(&san))); 953 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
960 } 954 }
961 955
962 TEST_P(ParseNameConstraints, URIsInPermitted) { 956 TEST_P(ParseNameConstraints, URIsInPermitted) {
963 std::string constraints_der; 957 std::string constraints_der;
964 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der)); 958 ASSERT_TRUE(LoadTestNameConstraint("uri-permitted.pem", &constraints_der));
965 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 959 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
966 InputFromString(&constraints_der), is_critical())); 960 der::Input(&constraints_der), is_critical()));
967 ASSERT_TRUE(name_constraints); 961 ASSERT_TRUE(name_constraints);
968 962
969 if (is_critical()) { 963 if (is_critical()) {
970 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, 964 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
971 name_constraints->ConstrainedNameTypes()); 965 name_constraints->ConstrainedNameTypes());
972 } else { 966 } else {
973 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 967 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
974 } 968 }
975 969
976 std::string san; 970 std::string san;
977 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); 971 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
978 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 972 EXPECT_EQ(!is_critical(),
979 der::Input(), InputFromString(&san))); 973 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
980 } 974 }
981 975
982 TEST_P(ParseNameConstraints, URIsInExcluded) { 976 TEST_P(ParseNameConstraints, URIsInExcluded) {
983 std::string constraints_der; 977 std::string constraints_der;
984 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der)); 978 ASSERT_TRUE(LoadTestNameConstraint("uri-excluded.pem", &constraints_der));
985 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 979 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
986 InputFromString(&constraints_der), is_critical())); 980 der::Input(&constraints_der), is_critical()));
987 ASSERT_TRUE(name_constraints); 981 ASSERT_TRUE(name_constraints);
988 982
989 if (is_critical()) { 983 if (is_critical()) {
990 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER, 984 EXPECT_EQ(GENERAL_NAME_UNIFORM_RESOURCE_IDENTIFIER,
991 name_constraints->ConstrainedNameTypes()); 985 name_constraints->ConstrainedNameTypes());
992 } else { 986 } else {
993 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 987 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
994 } 988 }
995 989
996 std::string san; 990 std::string san;
997 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san)); 991 ASSERT_TRUE(LoadTestSubjectAltName("san-uri.pem", &san));
998 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 992 EXPECT_EQ(!is_critical(),
999 der::Input(), InputFromString(&san))); 993 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
1000 } 994 }
1001 995
1002 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) { 996 TEST_P(ParseNameConstraints, RegisteredIDsInPermitted) {
1003 std::string constraints_der; 997 std::string constraints_der;
1004 ASSERT_TRUE( 998 ASSERT_TRUE(
1005 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der)); 999 LoadTestNameConstraint("registeredid-permitted.pem", &constraints_der));
1006 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1000 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1007 InputFromString(&constraints_der), is_critical())); 1001 der::Input(&constraints_der), is_critical()));
1008 ASSERT_TRUE(name_constraints); 1002 ASSERT_TRUE(name_constraints);
1009 1003
1010 if (is_critical()) { 1004 if (is_critical()) {
1011 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, 1005 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1012 name_constraints->ConstrainedNameTypes()); 1006 name_constraints->ConstrainedNameTypes());
1013 } else { 1007 } else {
1014 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 1008 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
1015 } 1009 }
1016 1010
1017 std::string san; 1011 std::string san;
1018 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); 1012 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
1019 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 1013 EXPECT_EQ(!is_critical(),
1020 der::Input(), InputFromString(&san))); 1014 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
1021 } 1015 }
1022 1016
1023 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) { 1017 TEST_P(ParseNameConstraints, RegisteredIDsInExcluded) {
1024 std::string constraints_der; 1018 std::string constraints_der;
1025 ASSERT_TRUE( 1019 ASSERT_TRUE(
1026 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der)); 1020 LoadTestNameConstraint("registeredid-excluded.pem", &constraints_der));
1027 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1021 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1028 InputFromString(&constraints_der), is_critical())); 1022 der::Input(&constraints_der), is_critical()));
1029 ASSERT_TRUE(name_constraints); 1023 ASSERT_TRUE(name_constraints);
1030 1024
1031 if (is_critical()) { 1025 if (is_critical()) {
1032 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID, 1026 EXPECT_EQ(GENERAL_NAME_REGISTERED_ID,
1033 name_constraints->ConstrainedNameTypes()); 1027 name_constraints->ConstrainedNameTypes());
1034 } else { 1028 } else {
1035 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes()); 1029 EXPECT_EQ(0, name_constraints->ConstrainedNameTypes());
1036 } 1030 }
1037 1031
1038 std::string san; 1032 std::string san;
1039 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san)); 1033 ASSERT_TRUE(LoadTestSubjectAltName("san-registeredid.pem", &san));
1040 EXPECT_EQ(!is_critical(), name_constraints->IsPermittedCert( 1034 EXPECT_EQ(!is_critical(),
1041 der::Input(), InputFromString(&san))); 1035 name_constraints->IsPermittedCert(der::Input(), der::Input(&san)));
1042 } 1036 }
1043 1037
1044 TEST_P(ParseNameConstraints, 1038 TEST_P(ParseNameConstraints,
1045 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) { 1039 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarily) {
1046 std::string constraints_der; 1040 std::string constraints_der;
1047 ASSERT_TRUE( 1041 ASSERT_TRUE(
1048 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der)); 1042 LoadTestNameConstraint("dnsname-with_min_0.pem", &constraints_der));
1049 // The value should not be in the DER encoding if it is the default. But this 1043 // The value should not be in the DER encoding if it is the default. But this
1050 // could be changed to allowed if there are buggy encoders out there that 1044 // could be changed to allowed if there are buggy encoders out there that
1051 // include it anyway. 1045 // include it anyway.
1052 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1046 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1053 is_critical())); 1047 is_critical()));
1054 } 1048 }
1055 1049
1056 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) { 1050 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimum) {
1057 std::string constraints_der; 1051 std::string constraints_der;
1058 ASSERT_TRUE( 1052 ASSERT_TRUE(
1059 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der)); 1053 LoadTestNameConstraint("dnsname-with_min_1.pem", &constraints_der));
1060 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1054 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1061 is_critical())); 1055 is_critical()));
1062 } 1056 }
1063 1057
1064 TEST_P(ParseNameConstraints, 1058 TEST_P(ParseNameConstraints,
1065 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) { 1059 failsOnGeneralSubtreeWithMinimumZeroEncodedUnnecessarilyAndMaximum) {
1066 std::string constraints_der; 1060 std::string constraints_der;
1067 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem", 1061 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_0_and_max.pem",
1068 &constraints_der)); 1062 &constraints_der));
1069 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1063 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1070 is_critical())); 1064 is_critical()));
1071 } 1065 }
1072 1066
1073 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) { 1067 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMinimumAndMaximum) {
1074 std::string constraints_der; 1068 std::string constraints_der;
1075 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem", 1069 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_min_1_and_max.pem",
1076 &constraints_der)); 1070 &constraints_der));
1077 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1071 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1078 is_critical())); 1072 is_critical()));
1079 } 1073 }
1080 1074
1081 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) { 1075 TEST_P(ParseNameConstraints, FailsOnGeneralSubtreeWithMaximum) {
1082 std::string constraints_der; 1076 std::string constraints_der;
1083 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der)); 1077 ASSERT_TRUE(LoadTestNameConstraint("dnsname-with_max.pem", &constraints_der));
1084 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1078 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1085 is_critical())); 1079 is_critical()));
1086 } 1080 }
1087 1081
1088 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) { 1082 TEST_P(ParseNameConstraints, FailsOnEmptyExtensionValue) {
1089 std::string constraints_der = ""; 1083 std::string constraints_der = "";
1090 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1084 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1091 is_critical())); 1085 is_critical()));
1092 } 1086 }
1093 1087
1094 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) { 1088 TEST_P(ParseNameConstraints, FailsOnNoPermittedAndExcluded) {
1095 std::string constraints_der; 1089 std::string constraints_der;
1096 ASSERT_TRUE( 1090 ASSERT_TRUE(
1097 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der)); 1091 LoadTestNameConstraint("invalid-no_subtrees.pem", &constraints_der));
1098 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1092 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1099 is_critical())); 1093 is_critical()));
1100 } 1094 }
1101 1095
1102 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) { 1096 TEST_P(ParseNameConstraints, FailsOnEmptyPermitted) {
1103 std::string constraints_der; 1097 std::string constraints_der;
1104 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem", 1098 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_permitted_subtree.pem",
1105 &constraints_der)); 1099 &constraints_der));
1106 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1100 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1107 is_critical())); 1101 is_critical()));
1108 } 1102 }
1109 1103
1110 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) { 1104 TEST_P(ParseNameConstraints, FailsOnEmptyExcluded) {
1111 std::string constraints_der; 1105 std::string constraints_der;
1112 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem", 1106 ASSERT_TRUE(LoadTestNameConstraint("invalid-empty_excluded_subtree.pem",
1113 &constraints_der)); 1107 &constraints_der));
1114 EXPECT_FALSE(NameConstraints::CreateFromDer(InputFromString(&constraints_der), 1108 EXPECT_FALSE(NameConstraints::CreateFromDer(der::Input(&constraints_der),
1115 is_critical())); 1109 is_critical()));
1116 } 1110 }
1117 1111
1118 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) { 1112 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsOk) {
1119 std::string constraints_der; 1113 std::string constraints_der;
1120 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der)); 1114 ASSERT_TRUE(LoadTestNameConstraint("directoryname.pem", &constraints_der));
1121 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1115 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1122 InputFromString(&constraints_der), is_critical())); 1116 der::Input(&constraints_der), is_critical()));
1123 ASSERT_TRUE(name_constraints); 1117 ASSERT_TRUE(name_constraints);
1124 1118
1125 std::string name_us_arizona_email; 1119 std::string name_us_arizona_email;
1126 ASSERT_TRUE( 1120 ASSERT_TRUE(
1127 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); 1121 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1128 1122
1129 // Name constraints don't contain rfc822Name, so emailAddress in subject is 1123 // Name constraints don't contain rfc822Name, so emailAddress in subject is
1130 // allowed regardless. 1124 // allowed regardless.
1131 EXPECT_TRUE(name_constraints->IsPermittedCert( 1125 EXPECT_TRUE(name_constraints->IsPermittedCert(
1132 SequenceValueFromString(&name_us_arizona_email), der::Input())); 1126 SequenceValueFromString(&name_us_arizona_email), der::Input()));
1133 } 1127 }
1134 1128
1135 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) { 1129 TEST_P(ParseNameConstraints, IsPermittedCertSubjectEmailAddressIsNotOk) {
1136 std::string constraints_der; 1130 std::string constraints_der;
1137 ASSERT_TRUE( 1131 ASSERT_TRUE(
1138 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der)); 1132 LoadTestNameConstraint("rfc822name-permitted.pem", &constraints_der));
1139 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1133 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1140 InputFromString(&constraints_der), is_critical())); 1134 der::Input(&constraints_der), is_critical()));
1141 ASSERT_TRUE(name_constraints); 1135 ASSERT_TRUE(name_constraints);
1142 1136
1143 std::string name_us_arizona_email; 1137 std::string name_us_arizona_email;
1144 ASSERT_TRUE( 1138 ASSERT_TRUE(
1145 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email)); 1139 LoadTestName("name-us-arizona-email.pem", &name_us_arizona_email));
1146 1140
1147 // Name constraints contain rfc822Name, so emailAddress in subject is not 1141 // Name constraints contain rfc822Name, so emailAddress in subject is not
1148 // allowed if the constraints were critical. 1142 // allowed if the constraints were critical.
1149 EXPECT_EQ(!is_critical(), 1143 EXPECT_EQ(!is_critical(),
1150 name_constraints->IsPermittedCert( 1144 name_constraints->IsPermittedCert(
1151 SequenceValueFromString(&name_us_arizona_email), der::Input())); 1145 SequenceValueFromString(&name_us_arizona_email), der::Input()));
1152 } 1146 }
1153 1147
1154 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests 1148 // Hostname in commonName is not allowed (crbug.com/308330), so these are tests
1155 // are not particularly interesting, just verifying that the commonName is 1149 // are not particularly interesting, just verifying that the commonName is
1156 // ignored for dNSName constraints. 1150 // ignored for dNSName constraints.
1157 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) { 1151 TEST_P(ParseNameConstraints, IsPermittedCertSubjectDnsNames) {
1158 std::string constraints_der; 1152 std::string constraints_der;
1159 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem", 1153 ASSERT_TRUE(LoadTestNameConstraint("directoryname_and_dnsname.pem",
1160 &constraints_der)); 1154 &constraints_der));
1161 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1155 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1162 InputFromString(&constraints_der), is_critical())); 1156 der::Input(&constraints_der), is_critical()));
1163 ASSERT_TRUE(name_constraints); 1157 ASSERT_TRUE(name_constraints);
1164 1158
1165 std::string name_us_az_foocom; 1159 std::string name_us_az_foocom;
1166 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom)); 1160 ASSERT_TRUE(LoadTestName("name-us-arizona-foo.com.pem", &name_us_az_foocom));
1167 // The subject is within permitted directoryName constraints, so permitted. 1161 // The subject is within permitted directoryName constraints, so permitted.
1168 // (The commonName hostname is not within permitted dNSName constraints, so 1162 // (The commonName hostname is not within permitted dNSName constraints, so
1169 // this would not be permitted if hostnames in commonName were checked.) 1163 // this would not be permitted if hostnames in commonName were checked.)
1170 EXPECT_TRUE(name_constraints->IsPermittedCert( 1164 EXPECT_TRUE(name_constraints->IsPermittedCert(
1171 SequenceValueFromString(&name_us_az_foocom), der::Input())); 1165 SequenceValueFromString(&name_us_az_foocom), der::Input()));
1172 1166
(...skipping 17 matching lines...) Expand all
1190 } 1184 }
1191 1185
1192 // IP addresses in commonName are not allowed (crbug.com/308330), so these are 1186 // IP addresses in commonName are not allowed (crbug.com/308330), so these are
1193 // tests are not particularly interesting, just verifying that the commonName is 1187 // tests are not particularly interesting, just verifying that the commonName is
1194 // ignored for iPAddress constraints. 1188 // ignored for iPAddress constraints.
1195 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) { 1189 TEST_P(ParseNameConstraints, IsPermittedCertSubjectIpAddresses) {
1196 std::string constraints_der; 1190 std::string constraints_der;
1197 ASSERT_TRUE(LoadTestNameConstraint( 1191 ASSERT_TRUE(LoadTestNameConstraint(
1198 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der)); 1192 "directoryname_and_dnsname_and_ipaddress.pem", &constraints_der));
1199 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1193 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1200 InputFromString(&constraints_der), is_critical())); 1194 der::Input(&constraints_der), is_critical()));
1201 ASSERT_TRUE(name_constraints); 1195 ASSERT_TRUE(name_constraints);
1202 1196
1203 std::string name_us_az_1_1_1_1; 1197 std::string name_us_az_1_1_1_1;
1204 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1)); 1198 ASSERT_TRUE(LoadTestName("name-us-arizona-1.1.1.1.pem", &name_us_az_1_1_1_1));
1205 // The subject is within permitted directoryName constraints, so permitted. 1199 // The subject is within permitted directoryName constraints, so permitted.
1206 // (The commonName IP address is not within permitted iPAddresses constraints, 1200 // (The commonName IP address is not within permitted iPAddresses constraints,
1207 // so this would not be permitted if IP addresses in commonName were checked.) 1201 // so this would not be permitted if IP addresses in commonName were checked.)
1208 EXPECT_TRUE(name_constraints->IsPermittedCert( 1202 EXPECT_TRUE(name_constraints->IsPermittedCert(
1209 SequenceValueFromString(&name_us_az_1_1_1_1), der::Input())); 1203 SequenceValueFromString(&name_us_az_1_1_1_1), der::Input()));
1210 1204
(...skipping 21 matching lines...) Expand all
1232 // (The commonName is an ipv6 address which wasn't supported in the past, but 1226 // (The commonName is an ipv6 address which wasn't supported in the past, but
1233 // since commonName checking is ignored entirely, this is permitted.) 1227 // since commonName checking is ignored entirely, this is permitted.)
1234 EXPECT_TRUE(name_constraints->IsPermittedCert( 1228 EXPECT_TRUE(name_constraints->IsPermittedCert(
1235 SequenceValueFromString(&name_us_az_ipv6), der::Input())); 1229 SequenceValueFromString(&name_us_az_ipv6), der::Input()));
1236 } 1230 }
1237 1231
1238 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) { 1232 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnEmptySubjectAltName) {
1239 std::string constraints_der; 1233 std::string constraints_der;
1240 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &constraints_der)); 1234 ASSERT_TRUE(LoadTestNameConstraint("dnsname.pem", &constraints_der));
1241 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1235 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1242 InputFromString(&constraints_der), is_critical())); 1236 der::Input(&constraints_der), is_critical()));
1243 ASSERT_TRUE(name_constraints); 1237 ASSERT_TRUE(name_constraints);
1244 1238
1245 std::string name_us_az; 1239 std::string name_us_az;
1246 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az)); 1240 ASSERT_TRUE(LoadTestName("name-us-arizona.pem", &name_us_az));
1247 1241
1248 // No constraints on directoryName type, so name_us_az should be allowed when 1242 // No constraints on directoryName type, so name_us_az should be allowed when
1249 // subjectAltName is not present. 1243 // subjectAltName is not present.
1250 EXPECT_TRUE(name_constraints->IsPermittedCert( 1244 EXPECT_TRUE(name_constraints->IsPermittedCert(
1251 SequenceValueFromString(&name_us_az), der::Input())); 1245 SequenceValueFromString(&name_us_az), der::Input()));
1252 1246
1253 std::string san; 1247 std::string san;
1254 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san)); 1248 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-empty.pem", &san));
1255 // Should fail if subjectAltName is present but empty. 1249 // Should fail if subjectAltName is present but empty.
1256 EXPECT_FALSE(name_constraints->IsPermittedCert( 1250 EXPECT_FALSE(name_constraints->IsPermittedCert(
1257 SequenceValueFromString(&name_us_az), InputFromString(&san))); 1251 SequenceValueFromString(&name_us_az), der::Input(&san)));
1258 } 1252 }
1259 1253
1260 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) { 1254 TEST_P(ParseNameConstraints, IsPermittedCertFailsOnInvalidIpInSubjectAltName) {
1261 std::string constraints_der; 1255 std::string constraints_der;
1262 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &constraints_der)); 1256 ASSERT_TRUE(LoadTestNameConstraint("ipaddress.pem", &constraints_der));
1263 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer( 1257 scoped_ptr<NameConstraints> name_constraints(NameConstraints::CreateFromDer(
1264 InputFromString(&constraints_der), is_critical())); 1258 der::Input(&constraints_der), is_critical()));
1265 ASSERT_TRUE(name_constraints); 1259 ASSERT_TRUE(name_constraints);
1266 1260
1267 std::string name_us_az_192_168_1_1; 1261 std::string name_us_az_192_168_1_1;
1268 ASSERT_TRUE( 1262 ASSERT_TRUE(
1269 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1)); 1263 LoadTestName("name-us-arizona-192.168.1.1.pem", &name_us_az_192_168_1_1));
1270 1264
1271 // Without the invalid subjectAltName, it passes. 1265 // Without the invalid subjectAltName, it passes.
1272 EXPECT_TRUE(name_constraints->IsPermittedCert( 1266 EXPECT_TRUE(name_constraints->IsPermittedCert(
1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input())); 1267 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input()));
1274 1268
1275 std::string san; 1269 std::string san;
1276 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san)); 1270 ASSERT_TRUE(LoadTestSubjectAltName("san-invalid-ipaddress.pem", &san));
1277 // Should fail if subjectAltName contains an invalid ip address. 1271 // Should fail if subjectAltName contains an invalid ip address.
1278 EXPECT_FALSE(name_constraints->IsPermittedCert( 1272 EXPECT_FALSE(name_constraints->IsPermittedCert(
1279 SequenceValueFromString(&name_us_az_192_168_1_1), InputFromString(&san))); 1273 SequenceValueFromString(&name_us_az_192_168_1_1), der::Input(&san)));
1280 } 1274 }
1281 1275
1282 } // namespace net 1276 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/certificate_policies_unittest.cc ('k') | net/cert/internal/parse_certificate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698